Cisco ASA Defaults that Break Things

The Cisco ASA is an excellent network security device, but several factory defaults can break some typical network traffic. These settings might be good to change on standard deployments.

  • Turn On “inspect icmp” to allow ping responses through
  • Turn On “inspect icmp error” to fixup non-ping ICMP responses through NAT
    • Enable incoming icmp time-exceed and unreachable traffic on outside incoming access-list
    • This allows return messages for path mtu detection (PMTUD) and traceroute among other important things used by the TCP/IP stack to deal with end-to-end MTU limits and other common routing errors.
  • Turn Off “inspect esmtp” under global_policy inspection_default
    • This setting often breaks communication between mail servers like email gateways and Exchange servers. It also breaks the ability to test SMTP with telnet or other common troubleshooting tools.

There are many settings out-of-box that a deployment might want to change, but these are a few that have been on my mind recently and I wanted to write this down. 🙂

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Networking and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s